Apache2 reverse proxy issues with OTRS - apache

I have asked this question in OTRS forum but their primary focus is the functionality of OTRS and not really the interaction with an apache proxy.
I have an internal server running OTRS (Perl based support ticket system).
I have a reverse proxy in my DMZ that performs proxy and SSL offload for internal web pages/applications. My proxy server is Ubuntu 18 with Apache2. It mostly works except that for OTRS I get weird page errors. It used to not be bad but since the update from OTRS 5 to OTRS 6 it is so bad that we cannot use https except to log in.
If I use https it throws a message that "OTRS has detected possible network issues" and says to reload the page or wait till the browser establishes connection on its own. If I wait just a bit I get a new message that states "the connection has been re-established after a temporary connection loss. Due to this elements on this page could have stopped working correctly" and it goes on to say that you need to reload the page. But it just keeps cycling through these messages in a flapping error.
I also get additional slash marks (/) each time I move to a new ticket.
Like so: https://myotrs.mydomain.com/otrs////////////index.pl?
The slash mark addition happens on both http and https through the proxy. It only happens on the OTRS site, not on my others handled by the same proxy.
Here is sample of my proxy vhost file.
<VirtualHost *:443>
ServerName help.mydomain.com
ServerAlias help.mydomain.net
ServerAdmin it@mydomain.com
ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
CustomLog /var/log/apache2/access-ssl.log combined
ProxyRequests off
ProxyPass / http://helpdesk.mydomain.local/
<Location /otrs>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
<Location /otrs-web>
ProxyPassReverse http://helpdesk.mydomain.local/otrs-web/
</Location>
# Use mod_proxy_html to rewrite URLs
SetOutputFilter proxy-html
# commented out
https://help.mydomain.com/otrs/
https://help.mydomain.com/otrs-web/
# Disable compressed communication between Apache and target server
RequestHeader unset Accept-Encoding
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Allows the proxying of an SSL connection
SSLProxyEngine On
# certificate
SSLCertificateFile /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>

I have checked out your config file, and I suggest you try to change
<Location /otrs>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
to
<Location /otrs/>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
In the original config file, if you browse https://myotrs.mydomain.com/otrs/index.pl you will be redirected to https://myotrs.mydomain.com/otrs//index.pl. And then, if you click the page, you will be redirected to https://myotrs.mydomain.com/otrs///index.pl. Then you are stuck in the circulation.

Related

Tomcat assets fail to load over Apache reverse proxy

Accessing my tomcat webapp over SSL (https) has been working for years, but recently something strange started happening, possibly related to using docker container tomcat:8-jdk8 (which is v 8.5.75) instead of tomcat:8.5.41-jdk8 (which is no longer available). When I try to access my tomcat app through Apache's reverse proxy, over SSL (https://example.com/myapp), the main wire framework HTML page loads, but all of the js and css assets get 404s because they are missing the app dir in the base url, so nothing visible actually loads on the page. For example, the html requests https://example.com/assets/ex.js instead of https://example.com/myapp/assets/ex.js (note myapp/).
However, I can access the app and everything is working 100% when accessed without Apache/SSL (http://example.com:8080/myapp).
Most strange of all, if I access the app without SSL (http://example.com:8080/myapp), and then in the same tab, change the url to the SSL path (https://example.com/myapp), then everything loads fine and functions properly. At that point, I can even Empty Cache and Hard Reload, and everything still loads fine over SSL. I checked the headers of all network requests, and everything is loading over SSL. This same behavior occurs in Chrome, Firefox, and Safari. However, in Chrome and Safari, if I visit any other website in that tab and then try to load my app over SSL, it fails; in Firefox, the same tab will keep loading my app regardless of interceding website visits.
The Apache config looks like this:
<VirtualHost *:80>
Servername example.com
## The following email address is setup in /etc/postfix/localusers
ServerAdmin webmaster@localhost
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com%{REQUEST_URI} [R=301,QSA,L]
## R=redirect, QSA=keep any query string, L=last rule to evaluate, stop.
</VirtualHost>
<VirtualHost *:443>
Servername example.com
UseCanonicalName On
ProxyPass /myapp http://127.0.0.1:8080/myapp/
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyDepth 2
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/example_ssl-error.log
CustomLog ${APACHE_LOG_DIR}/example_ssl-access.log combined
</VirtualHost>
The tomcat config is the default config that comes in the tomcat docker container. I do not have a META-INF/ directory in my project.
Question 1: why does tomcat provide the correct URLs over Apache/SSL only after the browser first visits tomcat directly without Apache/SSL?
Question 2: How can I get this app to load over SSL all the time (by always including the app name in the base url)?
Source and target paths in your redirects are inconsistent. Remove the last / in the target path.
ProxyPass /myapp http://127.0.0.1:8080/myapp
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp
The mapping with the extra / caused a double // in the path, which I guess caused problems down the road with processing the path in generation of the page.
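Both answers above (the OTRS `<Location /otrs>` fix and this Tomcat fix) come down to a path and its target disagreeing on the trailing slash. The following is an added example, not code from either post: a small checker that flags such mappings in a vhost file and shows the backend URL a mismatched `ProxyPass` produces. The function names are hypothetical, the sample config is constructed from directives quoted in the two questions, and `backend_url` is a simplified prefix-substitution model of `ProxyPass`.

```python
import re

# Constructed sample: directives quoted in the two questions above.
SAMPLE_CONF = """\
<VirtualHost *:443>
ProxyPass / http://helpdesk.mydomain.local/
<Location /otrs>
ProxyPassReverse http://helpdesk.mydomain.local/otrs/
</Location>
ProxyPass /myapp http://127.0.0.1:8080/myapp/
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp/
</VirtualHost>
"""

def proxy_mappings(conf):
    """Yield (line_no, directive, path, target) for ProxyPass/ProxyPassReverse.
    Inside <Location PATH> the directive takes its path from the section."""
    location = None
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"<Location\s+([^>\s]+)\s*>", line, re.I)
        if m:
            location = m.group(1)
            continue
        if re.match(r"</Location\s*>", line, re.I):
            location = None
            continue
        parts = line.split()
        if not parts or parts[0].lower() not in ("proxypass", "proxypassreverse"):
            continue
        args = parts[1:]
        if location is not None and args:
            yield no, parts[0], location, args[0]
        elif len(args) >= 2:
            yield no, parts[0], args[0], args[1]

def slash_mismatches(conf):
    """Return mappings whose path and target disagree on the trailing slash."""
    return [m for m in proxy_mappings(conf)
            if m[3] != "!" and m[2].endswith("/") != m[3].endswith("/")]

def backend_url(path, target, request_uri):
    """Simplified model of ProxyPass: the matched prefix is swapped for the target."""
    if not request_uri.startswith(path):
        return None
    return target + request_uri[len(path):]
```

Run `slash_mismatches` over a vhost file's text before reloading Apache; any entry it returns is a mapping to make consistent, either both sides with a trailing slash or both without.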

Why is apache enforcing SSL (https)? How to undo this?

We have been running a multi-host apache2 environment for several years. All of a sudden apache now seems to require https.
Some trivial websites are configured without certificates on port 80 (and with self signed or let's-encrypt certificates on port 443).
With the recent automatic renewal of a let's-encrypt certificate I got an error message related to problems to retrieve the acme-challenge via http.
It seems to be related to a recent change of the default configuration of apache2 under Debian 4.19.x .
However I did not find any option in apache2 to undo the enforcement for SSL.
Here is my configuration for one of the respective vhosts (the problem also exists for another host):
<VirtualHost *:80 >
ServerName www.antXXX.XX
ServerAlias antXXX.XX *.antXXX.XX
ServerAdmin webmaster#...
DocumentRoot /data/www/htdocsantXXX
ErrorDocument 503 /ausserBetrieb.html
<Directory /data/www/htdocsantXXX>
Options FollowSymLinks MultiViews
<RequireAll>
require all granted
</RequireAll>
RedirectMatch ^/$ /index.html
</Directory>
ErrorLog /var/log/apache2/antXXX/errorantXXX.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/antXXX/accessantXXX.log combined
ServerSignature On
</VirtualHost>
<VirtualHost *:443>
ServerName www.antXXX.XX
ServerAlias antXXX.XX *.antXXX.XX
ServerAdmin webmaster#...
DocumentRoot /data/www/htdocsantXXX
...
</VirtualHost>
I was not able to find the respective option in the basic configuration of apache nor the error document that contains the HTML-Text for "This site is configured to require an SSL (https) connection...".
I know that there is the http-option Upgrade-Insecure-Requests: 1 . However the problem also exists, when retrieving the web document locally with curl -v http://www.antXXX.XX .
How can I undo the https-requirement for the respective vhosts?
Thank you for your support
Wallenstein
Oh sorry. Finally I have found the culprit.
I have recently experimented with the yubikey authorization in the module authn-yubikey .
Its activation seemed to enforce https. At least I found the respective HTML-code via the strings-command.
After disabling this module http-access was available again.
Wallenstein

Moqui running in jetty container behind httpd returns Error rendering screen

I have an httpd server configured and working. The server returns "It works" and I can see the SSL is installed correctly.
The next step I undertook was configuring the reverse proxy, so that the users requests are redirected and I can have more customers' apps under one subdomain. The httpd configuration (shown below) I use is not mine, I am just attempting to reconfigure it to work for me. But with no big success up to now. There are directives that may be incorrect, but I have not tried commenting anything out.
#Apache is listening on port 443
Listen 443
SSLSessionCache shmcb:c:/Apache24/logs/shmcb_cache(512000)
SSLSessionCacheTimeout 300
Mutex default ssl-cache
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
#ProxyPreserveHost On
SSLProxyEngine On
ServerName XXXX.sk
ServerAdmin admin
# Logs
ErrorLog /var/log/rsk_error_log
TransferLog /var/log/rsk_access_log
# Server Certificate and Private Key:
SSLCertificateFile /ssl/certificate.crt
SSLCertificateKeyFile /ssl/private.key
SSLCertificateChainFile /ssl/chain.crt
#Include conf/extra/proxy-443-to-8890.conf
ProxyPass /customer http://172.17.0.4:8080
ProxyPassReverse /customer http://172.17.0.4:8080
</VirtualHost>
Now when I type XXXX.sk/customer I receive a response which is a login screen, but it is incorrectly rendered, the CSS is not used at all. There are many errors appearing. When I log in, no response is returned and the URL is corrupted.
Can any of you, using httpd in a reverse proxy mode, please share your configs, at least a part of them?
The default webroot in base-component maps to / in the URL. All resources like css, js etc. use "/" to build their URLs, so although the proxying is
ProxyPass /customer http://172.17.0.4:8080
The actual js location is still
/lib/jquery/jquery-ui.min.css
not
/customer/lib/jquery/jquery-ui.min.css
To make it work, the reverse proxy would need more messy location proxy_pass configurations.
So using an additional path to proxy the webroot is not suggested.
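To see how many of a backend's URLs would fall outside a path-prefixed mapping such as `ProxyPass /customer ...`, the check below collects root-relative `href`, `src` and `action` values that are not under the prefix. It is an added example, not part of the answer or of Moqui; the names are hypothetical and the sample HTML is constructed, with only the jquery-ui path taken from the answer.

```python
from html.parser import HTMLParser

# Constructed backend HTML; only the jquery-ui path comes from the answer above.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="/lib/jquery/jquery-ui.min.css">
<script src="/customer/js/app.js"></script>
<script src="js/relative.js"></script>
<script src="//cdn.example.com/x.js"></script>
</head><body><form action="/Login/login"></form></body></html>
"""

class _UrlCollector(HTMLParser):
    """Collect URL-bearing attribute values from start tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

def escaping_urls(html, prefix):
    """Return root-relative URLs in html that are not under the proxied prefix."""
    collector = _UrlCollector()
    collector.feed(html)
    base = prefix.rstrip("/")
    return [u for u in collector.urls
            if u.startswith("/") and not u.startswith("//")  # skip scheme-relative
            and u != base and not u.startswith(base + "/")]
```

An empty result for the chosen prefix means the page's own links stay inside the mapping; every URL returned is one the browser would request outside it.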

Website resolves to local address using apache reverse proxy

I have set up a reverse proxy with apache and am pointing to 4 other apache wordpress server vm's on my local network.
When I go to the websites on 3 of them (like www.mywebsite.com externally from my computer at work), they resolve fine and the sites produce the page correctly.
When I try to connect to the 4th site, it redirects me to a 192 address which is what I have in the proxy config but it does not resolve correctly like the other sites. I literally copy and pasted each block in the 000-default.conf so I know they are identical.
The proxy works and is moving the traffic but will try to resolve locally. Here is the block from my 000-default.conf.
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.mywebsite.com
ServerAdmin myemail@gmail.com
DocumentRoot /var/www/html
ProxyPass / http://192.168.1.23:80/
ProxyPassReverse / http://192.168.1.23:80/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
I'm not sure what is different between the sites. I've done this quite a few times and never had the issue. Could this be an issue with the web server on the 4th site? These are all VMs running ubuntu server with lamp.
It looks like it was an issue with the 4th server and how it was handling the index file with wordpress. It seems that Wordpress had to be provisioned locally first. But, I don't remember doing this with the other sites. All is well now.

Application error passthru when using apache mod_proxy

Heyas. I'm using mod_proxy with apache2 to provide vhost ability to multiple servlet apps running on the local machine. It works fine, for the most part. Requests come into apache then are directed to the application bound on a port on localhost. The app receives the request and responds, which is delivered back to the client by apache.
The problem I'm having is that the application delivers 500's on errors, and mod_proxy stomps on them. Often these errors are caused in an ajax request and the error is handled in client side javascript. For example, a call to a server side createObject(name) might throw a NameNotUniqueException, which is delivered back as a 500. The client javascript might then display an appropriate error message.
When an error is thrown by the application (resulting in a 500 response to mod_proxy), then apache stomps the error message and returns
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
.. the stock apache server side error message.
I want mod_proxy to pass the original 500 back through to the client. Is there a directive I've missed which prevents clobbering of the 500?
TIA
Do you have
ProxyRequests Off
ProxyErrorOverride Off
ProxyPass /path/ http://backend.ip/path/
ProxyPassReverse / http://backend.domain/
Replace backend.ip and backend.domain with your values (I am using backend.ip here as it prevents apache from running dns queries on each request).
Usually errors are reported as is, because ProxyErrorOverride defaults to off. If this does not happen with my configuration, please check if the 500 is really from your backend server. Or just show us your complete proxy configuration.
I have the same problem, getting blank 500 pages since changing from apache2/mod_wsgi to apache2 with reverse proxy to mod_wsgi-express.
My config (replaced actual domain with www.example.com):
<VirtualHost *:443>
ServerName www.example.com
ProxyRequests Off
ProxyErrorOverride Off
ProxyPass / http://localhost:8001/
ProxyPassReverse / https://www.example.com/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ErrorLog /var/log/apache2/www.example.com.error.log
LogLevel warn
CustomLog /var/log/apache2/www.example.com.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/fullchain.pem
</VirtualHost>